How often do people perform banking activities, or use the banking apps? Seldom enough to warrant some extra protections and caution around banking. Most people store their money in a bank, since there is an expectation that it is safer than under the mattress or in a Milo tin. It’s safer than keeping money on hand, and so we make it someone else’s problem by keeping it in a bank. Not the best use of cash, but it’ll do for floats and expenditure.
Recently, there’s been a rise of banking scams using text messages seemingly from the bank. These messages link to phishing websites that steal the user’s credentials and by extension, their money. I highlighted this possibility last year in my post on mobile phreaking. It’s interesting how many people have fallen prey to this scam, including millennials who lost their life savings. Let’s explore some possible ways to mitigate these banking scams.
Text Messages Suck
I’m reminded of a video five years ago which demonstrated how someone’s mobile account was taken over through social engineering. Several articles online would tell you never to use text messages for 2-Factor Authentication (2FA). Using a dedicated 2FA app such as Microsoft Authenticator would be far more protective. Microsoft Accounts are even making the shift to a passwordless future, and login is seamless. After entering their username, users just need to tap the correct option on their phone as shown on the screen during the login process, no password required.
Banks still largely rely on text messages for notifications and 2FA. Building these notifications and approvals into the app (such as gaming platform Steam’s SteamGuard) might help to prevent scams from happening. For example, a new login on the web may require that users approve the login from their authorized mobile app. The page should clearly state the action being performed, with additional contextual information such as scam warnings. There is more screen real estate within the app compared to text messages.
Likewise, transactions done outside of the user’s authorized mobile app should continue to require prompts for every action (with perhaps an option to disable further prompts for that session). These prompts should continue to provide users with information about actions taken (e.g. increasing transfer limit, setting up new digital token).
Sure, people would hate to get an email each time they logged in. Therefore, my recommendation isn’t to email users on every single login, especially if they are just logging in on their app through saved credentials. However, for web logins from new locations (based on IP address) or new mobile device logins, users should receive some form of notification on a separate platform other than what they were using (password/PIN and text messages).
For example, over at crypto exchange Bitfinex, users get a login notification with plenty of information and the ability to quickly freeze their account. In fact, users have granular control over their notifications so they can even disable this message if they don’t fancy this level of security.
If certain actions are taken, the account should be temporarily unable to perform large transactions for a small timeframe. This should include changing the account’s daily limit or adding a new digital token. A small timeout of 30 minutes should suffice, during which the user should be notified of said actions via text messaging and/or email. Hopefully, this is enough time to report the breach to the bank. In this case, the bank should also have a policy to respond to reports of fraudulent access within a set amount of time.
Taking an example from the crypto space, Hodlnaut allows users to specify a whitelist of addresses to transact with. If this feature is enabled (or disabled), users must wait 48 hours before they are able to perform transactions. Their rational for this is that the user would, by then, “realize that (their) account is hacked” and contact Hodlnaut to freeze the account.
One possible measure to mark messages as legitimate is by having users specify a “secret phrase” with the bank. This should be something unique (not the same as the account password) that only the bank and user knows, such as a number (“uwu” in the image example). If a bank sends a message to the user (whether through text messaging or email), the communication can include said secret phrase. Since the pre-decided secret phrase is unique and difficult to guess, the user can then be confident that the message is legitimate if they see the phrase.
Machine Learning Models
There should be checks on the bank’s end to look out for certain fraudulent activities. A user who has suddenly logged in from a previously unknown IP Address and is suddenly trying to remit large amounts of money overseas should be a cause for alarm, and the bank should have automatically frozen such transactions and requested further verification from the user.
It’s hard to picture a scenario where a legitimate user is suddenly draining their entire bank account after panic logging in from somewhere remote. Such behaviors warrant additional investigation from the bank’s fraud department.
Slow And Steady
Nowadays, there’s some expectation of the “instantaneous” (*shakes fists* millennials and their instant gratification!). People expect a FAST transfer to be, well, fast. PayNow transfers are seemingly instant. FAST and PayNow transfers within Singapore banks are generally safe, because there is a higher chance of recovery since the identity of the recipient can be uncovered by the police (unless they are a money mule).
Perhaps, transfers to overseas banks or “riskier” ones could add a slight but understandable delay. Currently, an overseas remit transaction seems to be near instant. Once that transaction is processed, it is difficult to recover as the bank needs to liaise with the receiving bank, transcending international boundaries and laws.
We could take inspiration here from crypto exchange FTX. When a transfer is initiated from the account, FTX has a slight delay before the transaction is actually carried out (it says “few hours” in the email, but 10 minutes is a better gauge). In this time, it sends an email to the user confirming a transfer has been initiated. A user is also able to login to FTX in this span of time and cancel the transaction completely.
Authorized Sender IDs
Institutions can apparently sign up (news to me) with the Infocomm Media Development Authority (IMDA)’s SMS SenderID protection registry. If it works the way it sounds, customers can be confident that text messages from the institution’s alphanumeric Sender IDs (e.g. “OCBC”) is legitimate. In turn, the institution can also ensure their name is not misused and that their customers are protected.
There is another call for IMDA to disallow unregistered alphanumeric Sender IDs. I think the above is friendlier, because a blanket ban may cause several problems with international services.
I can’t imagine many people still using text messages for non-official business. In fact, lots of official communication with businesses even takes place on WhatsApp. Advertisements shouldn’t be sent through text messages at all. Email is a much better platform, especially for messages that aren’t time sensitive. Alternatively, app notifications may give users a better experience. Emails and app notifications will probably be less intrusive and overall less annoying, which may be more effective.
Above all, links should be avoided. If absolutely necessary, the bank’s domain name should be used in full and users should be educated to verify it. No usage of third-party URL shorteners like Bit.ly should be used as it sets a dangerous precedence where users may be unable to tell the difference in the future.
Above all, we need to make sure the public is educated on scams. Our tech literacy needs to drastically increase if Singapore is to brand itself as a Smart Nation. This can start from the schools, since burden of handling IT and its trends (grudgingly) falls on the younger household members. An overwhelming number of Singaporeans are falling prey to a plethora of scams, including crypto, love, and job scams. Messaging definitely needs to be ramped up on this front, and institutions need to be on the look out for where people fall short.
Personally, I feel the bulk of the blame is on the consumer for falling for the phishing scams. OCBC has been extremely nice to make goodwill restitutions to the affected customers.
Technology is ever-changing and admittedly, it may be difficult for some to keep up. There will always be bad actors seeking to exploit existing systems, and it’s a constant battle for developers to cover all possible edge cases. To protect their systems from hackers and maintaining ease of use is already a monumental task. Having to protect customers from themselves is a huge ask and will take a lot of research in the user experience space.
- Hodlnaut lets you make your crypto work for you by generating high interest. Free US$20 when you sign up for Hodlnaut and deposit US$1000. Referral link!
- FTX is my favorite exchange, currently 4th largest volume in the world behind Binance, Huobi, and OKEx. It’s newer than the rest, but has shown to be far more innovative and has the best UIUX compared to others. Highly recommend them. It’s also possible to do bank transfers from local banks to them. They also have tokenized stocks like GME on the platform. Pretty complete! 5% off trading fees with my referral link.
- Gringotts Dragon © HarshLight on Flickr.